Official eMule-Board: Help Needed For A Legal Case Regarding Emule! - Official eMule-Board

Jump to content


Page 1 of 1

Help Needed For A Legal Case Regarding Emule!

#1 User is offline   Carson18 

  • Newbie
  • Pip
  • Group: Members
  • Posts: 2
  • Joined: 18-January 18

Posted 18 January 2018 - 06:44 PM

This is a weird case that eMule may hold the key to solve the puzzle and bring the justice to the victim. First, let me provide a brief description about the case:

Before New Year’s Day of 2015, either on the New Year’s Eve or a day before, a 73-year-old man, Mr. Z, saw a decent desktop computer on a refuse pile and pick it up. After New Year, he hooked the computer up and it worked without asking for user credentials. On 1/3/2015, there were 3 child porn movies were downloaded. The file create time and access time were the same for all those 3 movies, apparently was never opened since the file completion time was sometime later than the access time. On 1/5/2015, a policeman in the nearby cyber crime unit randomly selected one hash key from among 4 million entries in the database and use the own program to dock on eDonkey, and downloaded one child porn movie from Mr. Z’s computer that was one of the 3 movies just downloaded 2 days ago in Mr. Z’s house. The police then located Mr. Z’s house based on the IP. Three month later in April 2015, police raided Mr. T f house and confiscated the computer. Police found a total of 14 child porn movies or images on that computer, with the other 11 file having a file creation time ranging from 12/22/2014 to 12/27/2014 before Mr. Z picked up the computer. The police then charged Mr. Z for possessing, viewing and sharing child porn images on eDonkey network. Last month Mr. Z was sentenced for up to 14 years prison (the highest term for such kind of crime) and he is in jail right now. Mr. Z never pleaded guilty and insisted that he never downloaded, viewed, or uploaded any porn movie, not to mention child porn movies.

When I learned this case after the sentence, I felt like the judge, the jurors, the lawyers (3 lawyers worked with Mr. Z and advised him to plead guilty in exchange for less jail time or avoiding jail but Mr. Z never yielded and insisted he was innocent so he fired the 3 lawyers) may not know how computer works, particularly how eMule works. So I need the experts here to help answer the following questions:

1. Is it possible that the time elapsed could be several days between the time the movie file was clicked for downloading and the time the file was generated in the destination computer. This could show if the following scenario is possible: the previous owner of the computer started downloading the 3 movies involved in this case and then disconnected from internet. No file was generated yet when the source was not available or when the network was too slow. After Mr. Z picked up the computer and hooked it up in his house, the downloading resumed and the files were created and completed downloading a couple hours later.
2. Is it possible to trace when and from which IP the downloading process was initiated in the eMule log, on the client computer?
3. Is it possible to locate the IP of the source computer from which the porn movies were downloaded on the eMule log on the client computer?

Mr. Z asked for a copy of the hard drive of the computer that the police confiscated. Due to some procedural mistakes, the judge did not grant his request. In the court hearing, the police did not mention how eMule works, and the eMule logs were never mentioned either.

Mr. Z is 77 years old now and is still in jail. He still claims he is innocent and is going to appeal. So we are seeking expert opinion here regarding how eMule works. Any help will be greatly appreciated!

Carson
0

#2 User is offline   xilolee 

  • eMule 0.50b BETA1 user
  • PipPipPipPipPipPipPip
  • Group: Italian Moderators
  • Posts: 7863
  • Joined: 20-August 08

Posted 21 January 2018 - 12:02 PM

When a user download a file, temporary zero-bytes files are created in emule temp folder.
.Part.met and .part.met.bak files change their sizes almost instantly.
The .part file change its size when at least a byte is downloaded.
The creation date/time should remain in the file properties even after the file is completed and then moved to the incoming folder.
Emule logs should be enabled by the user in the options-extended settings.
Therefore, there shouldn't be logs, because they are not enabled by default: the user should modify the logs settings on purpose.

Hence, those three (or more) files downloaded with emule should have a creation date/time before your client, Mr Z, picked up the machine.

Edit: by the way, for an illetterate person, illetterate with computers: emule could have been set to start with windows, to connect automatically to the network and hence to download files present in emule transfers tab (and in emule temp folder) until their completion, then those files will be moved to the shared files tab (and emule incoming folder).
So yes, it is possible that he downloaded those files without even be conscious of them.
I don't know how you/he can dimostrate he found the "dumped machine".

This post has been edited by xilolee: 21 January 2018 - 10:20 PM

INCONCEIVABLE! - You keep using that word. I do not think it means what you think it means.
come ottenere aiuto italian guides - guide della sezione italiana
italian support - sezione italiana scaricare la lista server
ottenere id alto impostare le porte nel router
recuperare file corrotti i filtri ip
Sembra talco ma non è serve a darti l'allegrIa! Se lo lanci e poi lo respiri ti dà subito l'allegrIa! Posted Image
0

#3 User is offline   fox88 

  • Golden eMule
  • PipPipPipPipPipPipPip
  • Group: Members
  • Posts: 4580
  • Joined: 13-May 07

Posted 21 January 2018 - 07:06 PM

File times have different resolution and are updated at different intervals.
The basic facts could be found in the first abstracts of this Microsoft's article.
0

#4 User is offline   Peerates 

  • Premium Member
  • PipPipPipPipPip
  • Group: Members
  • Posts: 262
  • Joined: 30-January 07

Posted 23 January 2018 - 07:21 PM

hi,
sadly, basing on the file date, you have no possibilities to demonstrate that mr Z is innocent of the charges of illicit download, or not.

there is a lot of possibilities to fake a file's date stamp. it can't be an evidence, at charge or uncharge. a windows system date can be changed temporarly, to reach a past spécific period, or a futur period. and a log file could be faked too, in its content or its times stamp.

it's true that pedo files are a really big big problem on the edonkey network ...

but, is mr Z is really an innocent ?

because, a PC don't connect the net alone and don't launch the eMule program, unless there is a human behind, with a minimal set up.

explanations of mr Z don't really look like persuasive for me, because i know the police's procedures on this subject and how they works to do their job ...and it's very very rare that the police was wrong.

in your case, you have no other choice to call an expert about these subjects ; system & network and also on the edonkey protocol and for the emule prog. i can help you for that and you can mail me if you want, but even here, it will be very hard to proove that mr z is innocent ...
Get the peerates servers list edk.peerates.net/servers/online-servers-list
eDonkey network's stats & historicals edk.peerates.net/servers/network-historicals
eDonkey network's users distribution edk.peerates.net/users/distribution
0

#5 User is offline   Carson18 

  • Newbie
  • Pip
  • Group: Members
  • Posts: 2
  • Joined: 18-January 18

Posted 02 February 2018 - 04:39 PM

xilolee, fox88 and Peerates, thank you very much for you reply and help! I tried to copy a file on both Windows XP and Windows 10. The file create date and file access date changed from it's original date to the time stamp when the file was copied. Therefore, based on what xilolee described, it is likely that the downloaded file could have a time stamp for the creation date that is different from the time you click the file to download. I do not have eMule installed. I am just wondering if someone can help me to make a test: click a legitimate video file to download, then immediately disconnect or shut down the computer, Wait until next day, reconnect or restart the computer so the d eMule downloading will automatically resume and finish downloading the file. Check the file properties to verify the file create, modify and access time. The time stamp should be an solid evidence to show if Mr. Z is innocent or not.

I am not a lawyer and Mr. Z is not my client. I just think Mr. Z deserves justice. Thank you all!
0

#6 User is offline   Peerates 

  • Premium Member
  • PipPipPipPipPip
  • Group: Members
  • Posts: 262
  • Joined: 30-January 07

Posted 05 February 2018 - 04:48 AM

hello,
as i already explain, a file time stamp cannot be a evidence. never.
see on theses links to learn how anybody can do that.

https://superuser.co...stamp-on-a-file
https://www.nirsoft....le_changer.html
https://www.youtube....h?v=CpWVyti0Dx0

you seems to have some difficulties to understand what and where is the problem ; if mr Z is innocent or not is not the real problem : it's a crime to broadcast pedo doc via P2P channels, that you are aware of that ... or not. maybe mr Z did not know what he was doing, but his pc was running and broadcasting illicit files on the network. its ignorance can't be a excuse and there is moments in man life where we have to make attention at what we do ! but i have reals difficulties to accept that a man find a pc somewhere and connect it on the net without any config, and that the pc can continue to download a file under emule without user has to configure any thing at all ... ? and without that user saw emule is running ... ?

a lot of emule users have difficulties to download files, because of a bad config.
they knows what they do and they have to set up their PC according of the internet connection spot.

it will be really great if emule could configure itself alone ...!,
have a nice day
Get the peerates servers list edk.peerates.net/servers/online-servers-list
eDonkey network's stats & historicals edk.peerates.net/servers/network-historicals
eDonkey network's users distribution edk.peerates.net/users/distribution
0

#7 User is offline   fox88 

  • Golden eMule
  • PipPipPipPipPipPipPip
  • Group: Members
  • Posts: 4580
  • Joined: 13-May 07

Posted 05 February 2018 - 08:54 AM

View PostPeerates, on 05 February 2018 - 07:48 AM, said:

it's a crime to broadcast pedo doc via P2P channels, that you are aware of that

Yes. But absence of intention could make a difference.

View PostPeerates, on 05 February 2018 - 07:48 AM, said:

i have reals difficulties to accept that a man find a pc somewhere and connect it on the net without any config

If the PC was found close to home, then the same ISP is very much possible.
In that case none or minimum changes might be required to get a network connection.

View PostPeerates, on 05 February 2018 - 07:48 AM, said:

a lot of emule users have difficulties

The main difficulty is the initial configuring. After that it might run nearly unattended.
0

#8 User is offline   Peerates 

  • Premium Member
  • PipPipPipPipPip
  • Group: Members
  • Posts: 262
  • Joined: 30-January 07

Posted 05 February 2018 - 06:26 PM

priviet fox88 :)

View Postfox88, on 05 February 2018 - 08:54 AM, said:

Yes. But absence of intention could make a difference.


depending of the country laws, but even if judges can be comprehensives they have to follow the law texts. it is surely not a good thing if somebody can be jailed when he is innocent, but it is possible in the real life. we are not in knowledge of this case and we do not have any element which can allow us to think mr Z innocent, or guilty.

but, even if some technical elements could help to demonstrate that mr Z is not involved in these downloads, it seems to me that it will be very hard to transform it in some legally acceptable evidences. perhaps some time stamp can give us an information, but as i said, any time stamp can be easily faked, without a strong knowledge.

so, judges can't accept this as evidence.
and they are right.

View PostPeerates, on 05 February 2018 - 07:48 AM, said:

i have reals difficulties to accept that a man find a pc somewhere and connect it on the net without any config

If the PC was found close to home, then the same ISP is very much possible.
In that case none or minimum changes might be required to get a network connection.[/quote]


well ...it's depending of technical elements we don't have ; if the pc is connected to internet directly it's not the same thing as if it run behind a router. but i agree that it's can be possible, however it seems to me it's very improbable.


Quote

The main difficulty is the initial configuring. After that it might run nearly unattended.


more of 75% of peers connected to the donkey network are in low-id ...
so, is all of these users pass successfully the initial configuration, or not ? :D

anyway, even without a good port redirection, eMule can run with uploads/ downloads okay, in low-id too. it can run better, but it run, even without serious configuration. excepted if a firewall block the traffic and on the moderns versions of windows, (7, and after), firewall are post-install activated

and one more time ; we don't know the version of windows which was involved.
in short, excepted for the theory sides, we are talking in the wind ...

but, this is the opportunity to talk of this enormous problem for our network : pedophilia files exchange. eMule can give access to this kind of content because it still the only real P2P network witch run today. (bt is not really a 'network', it's a protocol.)

people must know it's really easy to trace them on the network, and if police can't be more efficient, it's because they are a lot of work for very little police team.

for 1000 persons around you, 2 to 3 are children attracted. 0.3%. for 70 million of persons in France, we have some 200 000 of them which can be attracted by these kind of document, and going get it on the p2p.


in France, we have some different police team for that. but they can be effective only on 3 or 400 cases by year, because the effective are not enough

400 against 200 000 in potential ...
i think it's horrific and i don't understand this kind of attraction.
but it's surely, that our preferred network is infested of these dirty files.

if anybody want use emule and connect the network, he must be informed of that important point : downloading these kind of files can be make you going to jail ...

bye.
:flowers:
Get the peerates servers list edk.peerates.net/servers/online-servers-list
eDonkey network's stats & historicals edk.peerates.net/servers/network-historicals
eDonkey network's users distribution edk.peerates.net/users/distribution
0

#9 User is offline   fox88 

  • Golden eMule
  • PipPipPipPipPipPipPip
  • Group: Members
  • Posts: 4580
  • Joined: 13-May 07

Posted 06 February 2018 - 01:05 PM

View PostPeerates, on 05 February 2018 - 09:26 PM, said:

more of 75% of peers connected to the donkey network are in low-id ...
so, is all of these users pass successfully the initial configuration, or not ?

The context was given in the first message, so getting high ID subject is totally unrelated.

View PostPeerates, on 05 February 2018 - 09:26 PM, said:

anyway, even without a good port redirection, eMule can run with uploads/ downloads okay, in low-id too.

Here you got it right; any connection will do.

View PostPeerates, on 05 February 2018 - 09:26 PM, said:

excepted if a firewall block the traffic and on the moderns versions of windows, (7, and after), firewall are post-install activated

and one more time ; we don't know the version of windows which was involved.

As we were told, all that was already configured by the previous owner who did not care to clean up anything.
0

#10 User is offline   emule_user_downunder 

  • Advanced Member
  • PipPipPip
  • Group: Members
  • Posts: 60
  • Joined: 20-March 04

Posted 22 June 2018 - 01:56 PM

From experience, many years ago, I can tell you that a 'neglected' computer has mountains of evidence that leaves footprints behind that are hard to clean up.

This can be a bonus for the prosecution or the defendant.

You need a computer expert that is intimately familiar with Windows to have a look at the computer and find those footprints and all will be revealed. Your ISP may also have records they are obliged to keep (by law) of 'metadata' which may provide evidence of the current and previous owners internet connections.

My advice is take a full 'sector' copy of your hard drive that was used in evidence - your lawyers should be able to request a copy from the court to examine it for evidence (unless you are Kim DotCom) - and then examine that without using it again as a system disk and obliterating useful information, and you should find evidence in places like the system log, file dates, registry, log files, and temporary files.

You could also subpoena Microsoft to give you records of the frequent Windows licence connections that are made by Windows to confirm a legitimate licence exists for their software, which will give you IP addresses of where the machine was connected from. They probably have these in their server logs going back far enough to identify the previous owner. This will enable the authorities to trace the previous users IP address, and find them the same way they found 'Mr Z'. These independent 'third party' records will be most useful in court as they will probably all coincide and will convince any judge if they are consistent, unlike file create/modify dates which can be altered by system tools.

Conversely, possession of kiddie porn is an offence in most jurisdictions, regardless of how it was obtained, and what the intention of the offender was.

Best retain a good lawyer that can file an appeal and have expert witnesses that can be called to back up any evidence found on the unmodifed hard drive. The prosecution will most probably have extracted this information anyway if they want to present a bulletproof case to the court.

How do I know? Many years ago where I worked we had a PC in for repair and disk upgrade (disk full and malware/viruses) that was bulging with undesirable/illegal material that came from a parish. The supervisor reported it to the police. The priest told police that kids had access to it at frequent times and must have loaded the kiddie porn material and he had no knowledge of the files. The police who were able to confirm that the priest was lying and he was convicted. After the case became public, many children spoke up that they were molested by the same priest. Sadly, where there is smoke there is often fire.

Time is of the essence, as many of the third party confirmation server logs are overwritten after a period of time so you have to subpoena them fast and comprehensively, which can take time and lots of money. As the offence was in 2015, they may be gone for good by now, and the window of opportunity to appeal, re-examine the hard drive (which may have been disposed of by now by the authorities), and build a good case may have gone.

You do not state in which country Mr Z was convicted, and I am not a lawyer (or even an computer 'expert'), so take these comments as suggestions rather than legal advice and seek an expert in law that understands computers as well.

You have doubts about the conviction. Have them removed. It may free an innocent man, or may convince you that the prosecution did actually do their homework very thoroughly and that Mr Z should rot in prison hell forever. Either way you will know. As a courtesy to forum members, please let us know the final results in a comment in this thread when it is finally re-examined.
0

  • Member Options

Page 1 of 1

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users